Secure key distribution among two remote parties is impossible when both are classical, unless some unproven (and arguably unrealistic) computational-complexity assumptions are made, such as the difficulty of factorizing large numbers. On the other hand, a secure key distribution is possible when both parties are quantum. What is possible when only one party (Alice) is quantum, yet the other (Bob) has only classical capabilities? Recently, a semi-quantum key distribution protocol was presented (Boyer, Kenigsberg and Mor, Physical Review Letters, 2007), in which one of the parties (Bob) is classical, and yet the protocol is proven to be completely robust against an eavesdropping attempt. Here we extend that result much further. We present two protocols with this constraint, and prove their robustness against attacks: we prove that any attempt of an adversary to obtain information (even a tiny amount of information) necessarily induces some errors that the legitimate parties could notice. One protocol presented here is identical to the one referred to above; however, its robustness is proven here in a much more general scenario. The other protocol is very different, as it is based on randomization.



I. INTRODUCTION 

Processing information using quantum two-level systems (qubits), instead of classical two-state systems (bits), has led to many striking results such as the teleportation of unknown quantum states and quantum algorithms that are exponentially faster than their known classical counterparts. Given a quantum computer, Shor's factoring algorithm would render many of the currently used encryption protocols completely insecure, but as a countermeasure, quantum information processing has also given rise to quantum cryptography. Quantum key distribution was invented by Bennett and Brassard (BB84), to provide a new type of solution to one of the most important cryptographic problems: the transmission of secret messages. A key distributed via quantum cryptography techniques can be secure even against an eavesdropper with unlimited computing power, and the security is guaranteed forever.

The conventional setting is as follows: Alice and Bob have labs that are perfectly secure, they use qubits for their quantum communication, and they have access to a classical communication channel which can be heard, but cannot be jammed (i.e. cannot be tampered with) by the eavesdropper. The last assumption can easily be justified if Alice and Bob can broadcast messages, or if they already share some small number of secret bits in advance, to authenticate the classical channel.

In the well-known BB84 protocol as well as in all other QKD protocols prior to [1], both Alice and Bob perform quantum operations on their qubits (or on their quantum systems). The question of how much "quantum" a protocol needs to be in order to achieve a significant advantage over all classical protocols is of great interest. For example, [2, 3, 4, 5] discuss whether entanglement is necessary for quantum computation, [6] shows nonlocality without entanglement, and [7, 8] discuss how much of the information carried by various quantum states is actually classical. This discussion was extended into the quantum cryptography domain in [1], where we presented and analyzed a protocol in which one party (Bob) is classical. For our purposes, any two orthogonal states of the quantum two-level system can be chosen to be the computational basis $|0\rangle$ and $|1\rangle$. For reasons that will soon become clear, we shall now call the computational basis "classical" and we shall use the classical notations $\{0, 1\}$ to describe the two quantum states $\{|0\rangle, |1\rangle\}$ defining this basis. In the protocols we discuss, a quantum channel travels from Alice's lab to the outside world and back to her lab. Bob can access a segment of the channel, and whenever a qubit passes through that segment Bob can either let it go undisturbed or (1) measure the qubit in the classical $\{0, 1\}$ basis; (2) prepare a (fresh) qubit in the classical basis, and send it; (3) reorder the qubits (by using different delay lines, for instance). If all parties were limited to performing only operations (1)-(3), or doing nothing, they would always be working with qubits in the classical basis, and could never obtain any quantum superposition of the computational-basis states; the qubits can then be considered "classical bits"; the resulting protocol would then be equivalent to an old-fashioned classical protocol, and therefore, the operations themselves shall here be considered classical. We term this kind of protocol "QKD protocol with classical Bob" or Semi-Quantum Key Distribution (SQKD). We discuss and analyze two different variants of such a protocol. In one, Bob performs operations (1) and (2) or transfers the qubit back to Alice; this variant is therefore named measure-resend SQKD. The other variant is based on randomization and is named randomization-based SQKD. In this variant Bob is restricted to performing operations (1) and (3), or doing nothing. This work extends the results of [1], by first generalizing the conditions under which the results of [1] hold for the measure-resend SQKD, specifically, proving that robustness still holds when the qubits are sent one by one and are attacked collectively. In addition we define and analyze a randomization-based SQKD which leaks no information at all and results in a secret string with entropy exponentially close to its length. We provide a full proof of robustness for this variant as well.

To define our protocols we follow the definition (see for instance [9]) of the most standard QKD protocol, BB84. The BB84 protocol consists of two major parts: a first part that is aimed at creating a sifted key, and a second (fully classical) part aimed at extracting an error-free, secure, final key from the sifted key. In the first part of BB84, Alice randomly selects a binary value and randomly selects in which basis to send it to Bob, either the computational ("Z") basis $\{|0\rangle, |1\rangle\}$, or the Hadamard ("X") basis $\{|+\rangle, |-\rangle\}$. Bob measures each qubit in either basis at random. An equivalent description is obtained if Alice and Bob use only the classical operations (1) and (2) above and the Hadamard[20] quantum gate H. After all qubits have been sent and measured, Alice and Bob publish which bases they used. For approximately half of the qubits Alice and Bob used mismatching bases and these qubits are discarded. The values of the rest of the bits make the sifted key. The sifted key is identical in Alice's and Bob's hands if the protocol is error-free and if there is no eavesdropper (known as Eve) trying to learn the shared bits or some function of them. In the second part Alice and Bob use some of the bits of the sifted key (the TEST bits) to test the error-rate, and if it is below some pre-agreed threshold, they select an INFO string from the rest of the sifted key. Finally, an error correcting code (ECC) is used to correct the errors on the INFO string (the INFO bits), and privacy amplification (PA) is used to derive a shorter but unconditionally secure final key from these INFO bits. At this point we would like to mention a key feature relevant to our protocols: it is sufficient to use qubits in just one basis, Z, for generating the INFO string, while the other basis is used only for finding the actions of an adversary [10].

A conventional measure of security is the information Eve can obtain on the final key, and a security proof usually calculates (or puts bounds on) this information. The strongest (most general) attacks allowed by quantum mechanics are called joint attacks. These attacks are aimed at learning something about the final (secret) key directly, by using a probe through which all qubits pass, and by measuring the probe after all classical information becomes public. Security against all joint attacks is considered "unconditional security". The security of BB84 (with perfect qubits sent from Alice to Bob) against all joint attacks was first proven in [9, 11, 12] via various techniques.

II. ROBUSTNESS 

An important step in studying security is a proof of robustness; see for instance [13] for a robustness proof of the entanglement-based protocol, and [14, 15] for a proof of robustness against the photon-number-splitting attack. Robustness of a protocol means that any adversarial attempt to learn some information necessarily induces some disturbance. It is a special case (in zero noise) of the more general "information versus disturbance" measure which provides an explicit bound on the information available to Eve as a function of the induced error. Robustness also generalizes the no-cloning theorem: while the no-cloning theorem states that a state cannot be cloned, robustness means that any attempt to make an imprint of a state (even an extremely weak imprint) necessarily disturbs the quantum state.

FIG. 1: (a) Eve's maximum (over all attacks) information on the INFO string vs. the allowed disturbance on the bits tested by Alice and Bob, in a completely robust (solid line), partly robust (dashed), and completely nonrobust (densely dotted) protocol. (b) Robustness should not be confused with security; Eve's maximum information on the final key vs. allowed disturbance in a secure protocol; such a protocol could be completely or partly robust.

A protocol is said to be completely robust if nonzero information acquired by Eve on the INFO string implies a nonzero probability that the legitimate participants find errors on the bits tested by the protocol. A protocol is said to be completely nonrobust if Eve can acquire the INFO string without inducing any error on the bits tested by the protocol. A protocol is said to be partly robust if Eve can acquire some limited information on the INFO string without inducing any error on the bits tested by the protocol.

Partially robust protocols could still be secure, yet completely nonrobust protocols are automatically proven insecure. See also Fig. 1. As one example, BB84 is fully robust when qubits are used by Alice and Bob, but it is only partly robust if photon pulses are used and sometimes two-photon pulses are sent. The well-known two-state protocol (also called the Bennett92 protocol) is not fully robust even if perfect qubits are used, if realistic channel losses are taken into account. Such partly robust protocols can still lead to a secure final key if enough bits are sacrificed for privacy amplification. On the other hand, such partly robust protocols can become completely nonrobust (and therefore totally insecure) if the loss rate is sufficiently high.
III. MOCK PROTOCOL AND ITS COMPLETE NONROBUSTNESS

Consider the following mock protocol: Alice flips a coin to decide whether to send a random bit in the computational basis $\{|0\rangle, |1\rangle\}$ ("Z"), or in the Hadamard basis $\{|+\rangle, |-\rangle\}$ ("X"). Bob flips a coin to decide whether to measure Alice's qubit in the computational basis (to "SIFT" it) or to reflect it back ("CTRL"), without causing any modification to the information carrier. In case Alice chose Z and Bob decided to SIFT, i.e. to measure in the Z basis, they share a random bit that we call SIFT or sifted bit (that may, or may not, be confidential). In case Bob chose CTRL, Alice can check if the qubit returned unchanged, by measuring it in the basis she sent it. In case Bob chose to SIFT and Alice chose the X basis, they discard that bit. The idea that just one basis, the Z-basis, is sufficient for the key generation (while the other basis is used for finding the actions of an adversary) appeared already in [10]. The above iteration is repeated for a predefined number of times. At the end of the quantum part of the protocol Alice and Bob share, with high probability, a considerable amount of SIFT bits (also known as the "sifted key"). In order to make sure that Eve cannot gain much information by measuring (and resending) all qubits in the Z basis, Alice can check whether they have a low-enough level of discrepancy on the X-basis CTRL bits. In order to make sure that their sifted key is reliable, Alice and Bob must sacrifice a random subset of the SIFT bits, which we denote as TEST bits, and remain with a string of bits which we call INFO bits (INFO and TEST are common in QKD, e.g., in BB84 as previously described).

By comparing the values of the TEST bits, Alice and Bob can estimate the error rate on the INFO bits. If the error rate on the INFO bits is sufficiently small, they can then use an appropriate Error Correction Code (ECC) in order to correct the errors. If the error rate on the X-basis CTRL bits is sufficiently small, Alice and Bob can bound Eve's information, and can then use an appropriate Privacy Amplification (PA) in order to obtain any desired level of privacy.

At first glance, this protocol may look like a nice way to transfer a secret bit from quantum Alice to classical Bob: it is probably resistant to opaque (intercept-resend) attacks.

However, it is completely nonrobust; Eve could learn all bits of the INFO string using a trivial attack that induces no error on the bits tested by Alice and Bob (the TEST and CTRL bits). She would not measure the incoming qubit, but rather perform a cNOT from it into a $|0_E\rangle$ ancilla[21]. If Alice chose Z and Bob decides to SIFT (i.e. measures in the Z-basis), she measures her ancilla and obtains an exact copy of their common bit, thus inducing no error on TEST bits and learning the INFO string. If, however, Bob decides on CTRL, i.e. reflects the qubit, Eve would do another cNOT from the returning qubit into her ancilla. This would reset her ancilla, erase the interaction she performed, and induce no error on CTRL bits, thus removing any chance of her being caught. In the following Section we present two protocols which overcome this problem via two different methods.



IV. TWO SEMI-QUANTUM KEY DISTRIBUTION 
PROTOCOLS 

The following two protocols remedy the above weakness by not letting Eve know which is a SIFT qubit (that can be safely measured in the computational basis) and which is a CTRL qubit (that should be returned to Alice unchanged). Both protocols are aimed at creating an $n$-bit INFO string to be used as the seed for an $l$-bit shared secret key.



A. Protocol 1: Randomization-based SQKD. 

Two versions are presented, both based on randomizing the returned qubits: Protocol 1 depends on a single parameter $\delta > 0$ and is not completely robust; Protocol 1', with an additional parameter $\varepsilon \le 1$ such that $0 \le \varepsilon < \delta$ and with Step 7' replacing Step 7, is completely robust.

Let $n$, the desired length of the INFO string, be an even integer and let $\delta > 0$ be some fixed parameter.

1. Alice sends $N = \lceil 8n(1 + \delta) \rceil$ qubits. For each of the qubits she randomly selects whether to send it in the computational basis (Z) or the Hadamard basis (X). In each basis she sends random bits.

2. For each qubit arriving, Bob chooses randomly whether to measure it (to SIFT it) or to reflect it (CTRL). Bob randomly reorders the reflected qubits so that no one, neither Alice nor Eve, could tell which of them were reflected.

3. Alice collects the reflected qubits in a quantum memory [22].

4. Alice publishes which were her Z bits. Bob publishes which were his CTRL qubits, and in which order they were reflected; Alice then measures all the returned CTRL qubits in the basis she prepared them.

It is expected that for approximately $N/4$ bits, Alice used the Z basis and Bob chose to SIFT (these are the SIFT bits, which form the sifted key); for approximately $N/4$ bits, Alice used the Z basis and Bob chose CTRL (we refer to these bits as Z-CTRL), and for approximately $N/4$ bits, Alice used the X basis and Bob chose CTRL (we refer to these bits as X-CTRL). In the rest of the bits, Bob expects a uniform distribution. Cf. Fig. 2.

5. Alice checks the error-rate on the CTRL bits and if either the X error-rate or the Z error-rate is higher than some predefined threshold $P_{\mathrm{CTRL}}$ the protocol aborts.
6. Alice chooses at random $n$ SIFT bits to be TEST bits. She publishes which are the chosen bits. Bob publishes the values of these TEST bits. Alice checks the error-rate on the TEST bits and if it is higher than some predefined threshold $P_{\mathrm{TEST}}$ the protocol aborts. Else, let $v$ be the string of the remaining SIFT bits.

7. Alice and Bob select the first $n$ bits in $v$ to be used as INFO bits. If there are no errors or eavesdropping, Alice and Bob share the same string. Otherwise, Bob's string is likely to differ from the INFO string until corrected in Step 8 below.

Unfortunately, Protocol 1 is not robust: we will show how Eve can count the number of "0"s and "1"s measured by Bob (i.e. the Hamming weight of the measured string) without being detectable and get about 0.3 bits of information on the INFO string, whatever its length (and prove she cannot do better).

To make sure Eve cannot use statistics of occurrence of "0"s and "1"s in the INFO string, Protocol 1' will fix in advance a subset of $\{0, 1\}^n$ to be used for the $n$-bit INFO strings. A new parameter $\varepsilon \le 1$ such that $0 \le \varepsilon < \delta$ is introduced and the set of INFO strings is $I_{n,\varepsilon}$, a set of $n$-bit strings $y$ selected by their Hamming weight $|y|$. When $\varepsilon = 0$, $I_{n,0}$ is the set of $n$-bit strings with Hamming weight $n/2$; for $\varepsilon = 1$ (which can happen if $\delta > 1$), $I_{n,1} = \{0, 1\}^n$. We will prove that when $\varepsilon > 0$, the information carried by a random $y \in I_{n,\varepsilon}$ is exponentially close to $n$ bits (in the parameter $n$). In that case, the set $I_{n,\varepsilon}$ is a "good set" of INFO strings. When $\varepsilon = 0$, $I_{n,0}$ has entropy of the order $n - 0.5 \log_2(n)$ bits.

As for robustness, it is obtained by replacing Step 7 by Step 7':

7'. (a) Alice chooses a substring $x$ of $v$ of length $2h$ with $h$ zeros and $h$ ones, where $h = \lfloor (1 + \varepsilon)n/2 \rfloor$; if she cannot choose such a string, the protocol aborts.

(b) Alice chooses randomly $y \in I_{n,\varepsilon}$.

(c) Alice chooses randomly a list of distinct indices $q_1 \ldots q_n$ such that $x_{q_1} \ldots x_{q_n} = y$.

(d) Alice announces publicly $q_1 \ldots q_n$; Bob thus learns that $v_{q_1} \ldots v_{q_n}$ is the INFO string.

We will show that the protocol aborts with exponentially small probability and leaks no information to Eve as long as she is undetectable.

FIG. 2: Bit usage summary

B. Protocol 2: Measure-Resend SQKD
Our second protocol does not require Bob to randomize the qubits as in Step 2. Instead, Bob either measures and resends the qubit (SIFTs it) or reflects it (CTRL). Furthermore, Alice does not need to delay the measurement of the returning qubits until Step 4, because immediately in Step 3 she knows in which basis to measure.

The protocol is essentially the same as the previous one, with steps 1 to 7, but with steps 2, 3 and 4 modified to correspond to the new simplified sifting procedure; the modified steps are:

2. For each qubit arriving, Bob chooses randomly whether to measure and resend it in the same state he found (to SIFT it) or to reflect it (CTRL). Again, no one, neither Alice nor Eve, can tell which of the qubits were reflected.

3. Alice measures each qubit in the basis she sent it.

4. Alice publishes which were her Z bits and Bob publishes which ones he chose to SIFT.
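As an added illustration (not code from the paper), the following Python simulation runs Steps 1 to 7 of Protocol 2 as a classical model: since every qubit is prepared and measured only in the Z or X basis, the Born rule reduces to "same basis, certain outcome; conjugate basis, fair coin". Eve's optional Z-basis intercept-resend is the opaque attack that Section III mentions; the run shows it leaves SIFT, TEST and Z-CTRL bits untouched and is caught only through the X-CTRL error rate checked in Step 5. Function and parameter names are this example's own, not the paper's.

```python
"""Classical model of Protocol 2 (measure-resend SQKD), Steps 1 to 7.

Every qubit is prepared and measured in the Z or X basis only, so the
Born rule reduces to: same basis -> outcome is certain, conjugate basis
-> a fair coin.  Names below are constructed for this example.
"""
import math
import random

Z, X = "Z", "X"


def measure(prep_basis, value, meas_basis, rng):
    """Outcome of measuring a qubit prepared as |value> in prep_basis."""
    return value if prep_basis == meas_basis else rng.randrange(2)


def run_protocol2(n, delta, eve_intercepts, p_ctrl, p_test, seed=0):
    """Run Steps 1-7 and return what Alice and Bob can observe.

    eve_intercepts: Eve measures every qubit in the Z basis on its way to
    Bob and resends what she found (the opaque attack of Section III).
    """
    rng = random.Random(seed)
    N = math.ceil(8 * n * (1 + delta))                        # Step 1
    a_basis = [rng.choice((Z, X)) for _ in range(N)]
    a_bit = [rng.randrange(2) for _ in range(N)]
    bob_sift = [rng.random() < 0.5 for _ in range(N)]          # Step 2 choices
    bob_bit = [None] * N
    ctrl = {"z_ctrl": [0, 0], "x_ctrl": [0, 0]}                 # [errors, total]
    sift_positions = []                                        # Alice Z and Bob SIFT
    for k in range(N):
        basis, value = a_basis[k], a_bit[k]
        if eve_intercepts:                                     # forward channel
            value, basis = measure(basis, value, Z, rng), Z
        if bob_sift[k]:                                         # Bob measures, resends
            value, basis = measure(basis, value, Z, rng), Z
            bob_bit[k] = value
        alice_sees = measure(basis, value, a_basis[k], rng)     # Step 3
        # Step 4: bases and SIFT/CTRL choices are published; Alice tallies CTRL errors
        if not bob_sift[k]:
            bucket = ctrl["z_ctrl" if a_basis[k] == Z else "x_ctrl"]
            bucket[1] += 1
            bucket[0] += int(alice_sees != a_bit[k])
        elif a_basis[k] == Z:
            sift_positions.append(k)
    rates = {key: (e / t if t else 0.0) for key, (e, t) in ctrl.items()}
    result = {"N": N, "z_ctrl_rate": rates["z_ctrl"], "x_ctrl_rate": rates["x_ctrl"],
              "sift_count": len(sift_positions), "test_rate": 0.0,
              "aborted": False, "info_alice": [], "info_bob": []}
    if max(rates.values()) > p_ctrl:                            # Step 5
        result["aborted"] = True
        return result
    if len(sift_positions) < 2 * n:                             # need n TEST + n INFO
        result["aborted"] = True
        return result
    test = set(rng.sample(sift_positions, n))                   # Step 6
    result["test_rate"] = sum(a_bit[k] != bob_bit[k] for k in test) / n
    if result["test_rate"] > p_test:
        result["aborted"] = True
        return result
    rest = [k for k in sift_positions if k not in test]         # the string v
    result["info_alice"] = [a_bit[k] for k in rest[:n]]         # Step 7
    result["info_bob"] = [bob_bit[k] for k in rest[:n]]
    return result


if __name__ == "__main__":
    for eve in (False, True):
        r = run_protocol2(64, 0.5, eve, p_ctrl=0.05, p_test=0.05, seed=1)
        print("Eve" if eve else "no Eve", r["x_ctrl_rate"], r["aborted"])
```

With Eve measuring in Z, Z-CTRL and TEST bits show no discrepancy at all, while roughly half of the X-CTRL bits come back flipped, which is exactly the check Step 5 relies on.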



C. Classical Post-Processing. 

The full protocol for the generation of the final key comprises any one of the above "semi-quantum" protocols, plus the "classical" step:

8. Alice publishes ECC & PA data, from which she and Bob extract the $l$-bit final key from the INFO string.

If the ECC is of rank $R$, publishing the ECC data entails publishing the parities of $n - R$ substrings of the INFO string, i.e. up to $n - R$ bits of information on the INFO string. This step must thus be excluded from the definition of robustness, or else no protocol would ever be robust unless the ECC is degenerate (of rank $n$) and unable to correct any error (the minimal distance being 1). The $l$-bit key is chosen such that $l < R$, and it is the information on this final $l$-bit key that needs to be proven negligible to prove the security of the above protocols.



V. PROOFS OF ROBUSTNESS 

We first show that Eve cannot obtain information on INFO bits in Protocol 2 without being detectable, for the case in which the qubits are sent by Alice one by one as well as the case in which they are sent together. This is performed by considering the general case in which Alice sends the qubits one by one but does not wait for a returning qubit before sending the next one (so that Eve can collect the qubits and attack them collectively). The scenario analyzed in [1] is a specific case of the setup we analyze here. We then bound the information Eve can get with Protocol 1 without inducing errors on TEST and CTRL bits, and finally prove the complete robustness of Protocol 1'.



A. Complete Robustness of Protocol 2. 

1. Modeling the protocol. 

Each time the protocol is executed, Alice sends to Bob a state $|\phi\rangle$ which is a tensor product of $N$ qubits, each of which is either $|+\rangle$, $|-\rangle$, $|0\rangle$ or $|1\rangle$; those qubits are indexed from 1 to $N$. Each of those qubits is either measured by Bob in the standard basis and resent as it was measured, or simply reflected. We denote by $m$ the set of bit positions measured by Bob; this is a subset of $[1 \ldots N]$ that we represent by an increasing list of $r$ integer positions $m_1 \ldots m_r$, corresponding to Bob measuring the $r$ qubits with index $m_1, \ldots, m_r$. For $i \in \{0, 1\}^N$, we denote

$i_m = i_{m_1} i_{m_2} \ldots i_{m_r}$ (1)

the substring of $i$ of length $r$ selected by the positions in $m$; of course $|i_m\rangle = |i_{m_1} i_{m_2} \cdots i_{m_r}\rangle$.

In the protocol, it is assumed that Bob has no quantum register; he measures the qubits as they come in. The physics would however be exactly the same if Bob used a quantum register of $r$ qubits initialized in state $|0_B\rangle$ ($r$ qubits equal to 0), applied the unitary transform defined by[23]

$M_m |i\rangle |0_B\rangle = |i\rangle |i_m\rangle$ (2)

for $i \in \{0, 1\}^N$, sent back $|i\rangle$ to Alice and postponed his measurement to be performed on that quantum register $|i_m\rangle$; the qubits indexed by $m$ in $|i\rangle$ are thus automatically both measured and resent, and those not in $m$ simply reflected; the $k$-th qubit sent by Alice is a SIFT bit if $k \in m$ and it is either $|0\rangle$ or $|1\rangle$; it is a CTRL bit if $k \notin m$. This physically equivalent modified protocol simplifies the analysis and we shall thus model Bob's measurement and resending, or reflection, with $M_m$. In most cases, Bob's measurement will be performed bitwise; for each $k$ in $m$ we will denote by $M_k$ the unitary that performs an exclusive or between the $k$-th qubit in $i$ and the corresponding qubit $j_k$ in Bob's probe, i.e. $M_k |i_k\rangle |j_k\rangle = |i_k\rangle |j_k \oplus i_k\rangle$. It follows that $M_m = \prod_{k \in m} M_k$.



2. Eve's attack.

The special case where all qubits go from Alice to Bob before coming back, which happens if they are sent in parallel, was analyzed in [1]. Eve's most general attack is then comprised of two unitaries: $U_E$ attacking qubits as they go from Alice to Bob and $U_F$ as they go back from Bob to Alice, where $U_E$ and $U_F$ share a common probe space with initial state $|0_E\rangle$. The shared probe allows Eve to make the attack on the returning qubits depend on knowledge acquired by $U_E$ (if Eve does not take advantage of that fact, then the "shared probe" can simply be the composite system comprised of two independent probes). Any attack where Eve would make $U_F$ depend on a measurement made after applying $U_E$ can be implemented by unitaries $U_E$ and $U_F$ with controlled gates so as to postpone measurements; since we are giving Eve all the power of quantum mechanics, the difficulty of building such a circuit is of no concern. Eve can use at will a general-purpose quantum computer.

The following (more general) attack is possible if Bob is expecting qubits in a sequence yet Alice does not wait for a returning qubit before sending the next one. Since Eve has access to a quantum memory, she can wait till she gets all qubits $|\phi\rangle$ sent by Alice before proceeding. Once she got them all, the most general attack she can perform applies a unitary transform to $|0_E\rangle|\phi\rangle$, sends the first qubit to Bob, waits till it comes back from Bob to then repeat the same action (with a possibly different unitary each time) for each qubit in a sequence. When Eve has attacked all qubits forth and back, she sends them back to Alice (one by one if needed).

More formally, let $\mathcal{H}_P = \bigotimes_{k=1}^{N} \mathcal{H}_k$ be the space of the protocol, where each $\mathcal{H}_k$ is the two-dimensional Hilbert space corresponding to the $k$-th qubit, and let $\mathcal{H}_E$ be Eve's probe space; once Eve holds $|\phi\rangle$ she applies a unitary $U_1$ on $|0_E\rangle|\phi\rangle$ and sends Bob qubit 1 (corresponding to $\mathcal{H}_1$). For each qubit $k$ from 1 to $N - 1$, when Eve receives qubit $k$ back from Bob, she applies $U_{k+1}$ on $\mathcal{H}_E \otimes \mathcal{H}_P$ and then sends qubit $k + 1$ to Bob. When Eve receives qubit $N$ from Bob, she applies $U_{N+1}$ on $\mathcal{H}_E \otimes \mathcal{H}_P$, sends the $N$ qubits to Alice and keeps her probe. Eve's attack is thus characterized by a sequence $\{U_k\}_{1 \le k \le N+1}$ of unitary transforms on $\mathcal{H}_E \otimes \mathcal{H}_P$.

The attack in [1] where Eve applies $U_E$ to all qubits, sends them to Bob, and applies $U_F$ on their way back corresponds to the attack where $U_1 = U_E$, $U_2 = \cdots = U_N = I$ and $U_{N+1} = U_F$, i.e. Eve uses $U_E$ on all qubits when she receives them, does nothing till she got all qubits back and then applies $U_F$.

Another protocol, whose robustness can be proved with the methods of [1] and which is briefly mentioned in its conclusion, requires each qubit to be sent individually, Alice sending each qubit only when she received the previous one from Bob. Eve also uses a global probe initialized to $|0_E\rangle$ but she is forced to attack qubits individually. For each qubit $k$ from 1 to $N$, Eve applies a unitary $U_E^{(k)}$ acting on $\mathcal{H}_k$ and $\mathcal{H}_E$[24] before sending it to Bob and applies a unitary $U_F^{(k)}$ acting on the same spaces on the way back. The robustness of the individual-qubit protocol follows immediately from the robustness of Protocol 2 under the limited class of attacks where $U_1 = U_E^{(1)}$,

$U_{k+1} = U_E^{(k+1)} U_F^{(k)}$

for $1 \le k < N$ and $U_{N+1} = U_F^{(N)}$ (and qubits are returned all together to Alice).



3. The final global state.

Delaying all measurements allows considering the global state of the Eve+Alice+Bob system before all actual measurements; Eve's and Bob's actions are described by unitary transforms. The initial state is $|0_E\rangle|\phi\rangle|0_B\rangle$; Eve's unitary transforms $U_1, \ldots, U_{N+1}$ act on the first two Hilbert spaces whilst Bob's measurements performed when he receives qubit $k$ with $k \in m$ act on the last two spaces. For instance, if $N = 4$ and $m = (1, 3)$ then the final global state of the system is $U_5 U_4 M_3 U_3 U_2 M_1 U_1 |0_E\rangle|i\rangle|0_B\rangle$, where measurement $M_1$ on qubit 1 occurs immediately after Eve applies $U_1$ and measurement $M_3$ on qubit 3 occurs immediately after Eve applies $U_3$.

The attacks $\{U_k\}_{1 \le k \le N+1}$ we are interested in are only those for which Eve is completely undetectable. Such attacks put strong restrictions on the global evolution of the system. In what follows, when we say that an attack induces no error on CTRL and TEST, we mean that for any choice of CTRL and TEST bits whose probability of occurrence according to Protocol 2 is not 0, the probability that Eve's attack induces an error on them is 0.

Proposition 1. If the attack $\{U_k\}_{1 \le k \le N+1}$ induces no error on TEST and CTRL bits, and if Alice sent state $|i\rangle$ with $i \in \{0, 1\}^N$, then there is a state $|F_i\rangle \in \mathcal{H}_E$ such that, for all $m$, the final global state of the system after applying $U_{N+1}$ is

$|F_i\rangle |i\rangle |i_m\rangle$. (3)

Proof. The final global state of the system can always be written as $\sum_{j, j'} |E_{ijj'}\rangle |j\rangle |j'\rangle$, where $|j\rangle$ runs over the standard basis of $\mathcal{H}_P$ and $|j'\rangle$ over that of Bob's probe space. If the protocol induces no errors on TEST bits, it must be so that for all $m$, $|E_{ijj'}\rangle = 0$ for $j' \ne i_m$, and thus the final global state must be $\sum_j |E_{iji_m}\rangle |j\rangle |i_m\rangle$. Moreover, if there is no error on CTRL bits, then the probability for Alice to measure any $|j\rangle$ that is not $|i\rangle$ must be zero. She can indeed choose any qubit not in $m$ as a Z-CTRL bit; she also checks all the qubits measured by Bob, which must also coincide with those she sent since $i \in \{0, 1\}^N$. Consequently $|E_{iji_m}\rangle = 0$ if $j \ne i$ and the final state must be $|E_{iii_m}\rangle |i\rangle |i_m\rangle$.



We now prove that $|E_{iii_m}\rangle$ does not depend on $m$. Let $Z$ be the linear map defined by $Z|e\rangle|j\rangle|j'\rangle = |e\rangle|j\rangle|0_B\rangle$, i.e. $Z$ is the linear map on Bob's probe space that maps its standard basis states onto the state $|0_B\rangle$. It is clear that $Z U_k = U_k Z$ and $Z M_k = Z$ for all $k$. If we look at the particular case where $N = 4$ and $m = (1, 3)$, i.e. Bob measures qubits 1 and 3, this implies that $Z U_5 U_4 M_3 U_3 U_2 M_1 U_1 |0_E\rangle|i\rangle|0_B\rangle = U_5 U_4 U_3 U_2 U_1 Z |0_E\rangle|i\rangle|0_B\rangle = U_5 U_4 U_3 U_2 U_1 |0_E\rangle|i\rangle|0_B\rangle$. Applying $Z$ to the final state just gives the final state obtained if $m$ is empty. If we apply $Z$ to $|E_{iii_m}\rangle|i\rangle|i_m\rangle$ we get $|E_{iii_m}\rangle|i\rangle|0_B\rangle$, and this state must be equal to the final global state when $m$ is empty. This implies that for all values of $m$, the states $|E_{iii_m}\rangle$ must be the same; we call them $|F_i\rangle$ and this gives $|F_i\rangle|i\rangle|i_m\rangle$ as the final global state. Note that Eve's state $|F_i\rangle$ is not entangled with the system $|i\rangle$ sent back to Alice, nor with Bob's register $|i_m\rangle$. □

We now show that if Eve's attack is undetectable by Alice and Bob, then Eve's final state $|F_i\rangle$ is independent of the string $i \in \{0, 1\}^N$. More precisely,

Proposition 2. If $\{U_k\}_{1 \le k \le N+1}$ is an attack on Protocol 2 that induces no error on TEST and CTRL bits, then for all $i, i' \in \{0, 1\}^N$,

$|F_i\rangle = |F_{i'}\rangle$. (4)



Proof. For any index $k$, let Alice's $k$-th qubit be in state $|+\rangle$, and all the other qubits be prepared in the Z-basis. Alice's state can be written $\frac{1}{\sqrt{2}}[|i\rangle + |i'\rangle]$ where $i, i' \in \{0, 1\}^N$, $i_k = 0$, $i'_k = 1$, and $i_t = i'_t$ for $t \ne k$. Let Bob choose $m$ such that $k \notin m$; such an $m$ exists because $N \ge 2$, and then $i_m = i'_m$. By the previous proposition and linearity, the final global state is $\frac{1}{\sqrt{2}}[|F_i\rangle|i\rangle + |F_{i'}\rangle|i'\rangle]|i_m\rangle$; since we are interested only in Alice's $k$-th qubit, we trace out all the other qubits in Alice's and Bob's hands and get the state

$\frac{1}{\sqrt{2}}\left[|F_i\rangle|0\rangle + |F_{i'}\rangle|1\rangle\right];$

if $|0\rangle$ and $|1\rangle$ are replaced by their values in terms of $|+\rangle$ and $|-\rangle$, this rewrites as

$\frac{1}{2}\left[(|F_i\rangle + |F_{i'}\rangle)|+\rangle + (|F_i\rangle - |F_{i'}\rangle)|-\rangle\right],$

and since the probability that Alice measures $|-\rangle$ must be 0,

$|F_i\rangle - |F_{i'}\rangle = 0,$

i.e. $|F_i\rangle = |F_{i'}\rangle$. The above holds for any $k$; any bit in $i$ can be flipped without affecting $|F_i\rangle$, and thus $|F_i\rangle$ is the same for all $i \in \{0, 1\}^N$. □

Theorem 3. For any attack $\{U_k\}_{1 \le k \le N+1}$ on Protocol 2 that induces no error on TEST and CTRL bits, Eve's final state is independent of the state $|\phi\rangle$ sent by Alice, and Eve has thus no information on the INFO string.

Proof. By Proposition 2, there is a state $|F_{\mathrm{final}}\rangle$ of Eve's probe space such that for all $i \in \{0, 1\}^N$, Eve's final state is $|F_i\rangle = |F_{\mathrm{final}}\rangle$. By Proposition 1, for all $i \in \{0, 1\}^N$ and all $m$, the final state after applying $U_{N+1}$ if Alice sends $|i\rangle$ is thus $|F_{\mathrm{final}}\rangle|i\rangle|i_m\rangle$. For all superpositions $|\phi\rangle = \sum_i c_i |i\rangle$ that Alice may send, and all $m$, the final state of the Eve+Alice+Bob system after applying $U_{N+1}$ is consequently

$|F_{\mathrm{final}}\rangle \sum_i c_i |i\rangle |i_m\rangle;$ (5)

Eve's probe state $|F_{\mathrm{final}}\rangle$ is independent of $i_m$ and therefore of the SIFT bits and INFO bits, if Eve is to be undetectable. □

The above theorem means that Protocol 2 is completely robust.



B. Partial robustness of Protocol 1.

1. Modeling the protocol.

The states $|\phi\rangle$ sent by Alice are still products of qubits each of which is either $|+\rangle$, $|-\rangle$, $|0\rangle$ or $|1\rangle$. In Step 2 of the protocol, Bob either measures a qubit, or reflects it; moreover, he reorders randomly the reflected qubits; let r be the number of reflected qubits and let $s = s_1 s_2 \ldots s_r$ be the list of those r randomly ordered bit positions. For instance, if r = 4, and Bob reflects qubits 8, 1, 5 and 4 in that order, then s = 8154 (examples will use positions from 1 to 9 to avoid comma separated lists). The list of non-reflected bits is indexed by the complement $\bar s$ and will always be listed in ascending order; if N = 9 and s = 8154 then $\bar s$ = 23679. Bob's measurement can still be postponed, but this time, since Bob keeps the qubits selected by $\bar s$ without sending a copy, there is no need to copy. For all strings s we still denote $i_s = i_{s_1} \ldots i_{s_r}$ the list of bits selected by s in the order specified by s; Bob's operation is then captured by

$$U_s|i\rangle = |i_s\rangle|i_{\bar s}\rangle$$

where $|i_s\rangle$ is the state reflected to Alice, and $|i_{\bar s}\rangle$ the state (to be) measured by Bob. With N = 9 and s = 8154, and if Alice sent $|i_1 \ldots i_9\rangle$ with $i_1, \ldots, i_9 \in \{0,1\}$, the state reflected is $|i_8 i_1 i_5 i_4\rangle$ and the state to be measured is $|i_2 i_3 i_6 i_7 i_9\rangle$. Of course, Alice can compare with what she actually sent only when s is known, and consequently keeps the reflected qubits in quantum memory. With these notations, qubit k is CTRL if $k \in s$ and it is SIFT if it is either $|0\rangle$ or $|1\rangle$ and $k \notin s$.

2. Eve's attack.

Eve's most general attack is still comprised of two unitaries, $U_E$ and $U_F$, sharing a common probe space; $U_E$ is applied on $|0^E\rangle$ and $|\phi\rangle$ and attacks qubits as they go from Alice to Bob; $U_F$ is applied on Eve's probe and $|i_s\rangle$ as those bits go back from Bob to Alice; one slightly annoying problem is that the dimension of the space on which $U_F$ acts is not fixed; it depends on the size of s, i.e. the number of bits reflected by Bob; there is thus one unitary $U_F$ for each r > 0.



3. The global final state.

Since Bob uses no probe space, the global state after Eve applies $U_E$ is simply $U_E|0^E\rangle|\phi\rangle$; then Bob applies $U_s$ to his part of the system, which corresponds to the global unitary $I_E \otimes U_s$ where $I_E$ is the identity on Eve's probe space. Then $U_F$ is applied only on Eve's probe and $|i_s\rangle$; if we denote $I_{\bar s}$ the identity on the system left in Bob's hands, given by the qubits selected by $\bar s$, the final global state is then

$$[U_F \otimes I_{\bar s}][I_E \otimes U_s]\,U_E|0^E\rangle|\phi\rangle. \qquad (6)$$

Proposition 4. If $(U_E, U_F)$ is an attack on Protocol 1 such that $U_E$ induces no error on TEST bits, then there are states $|E_i\rangle$ in Eve's probe space such that for all $i \in \{0,1\}^N$,

$$U_E|0^E\rangle|i\rangle = |E_i\rangle|i\rangle. \qquad (7)$$

If moreover $U_F$ induces no error on CTRL bits, then there are states $|F_{s,i}\rangle$ of Eve's probe space such that for all $i \in \{0,1\}^N$, and all sequences s of distinct elements of [1 .. N],

$$U_F|E_i\rangle|i_s\rangle = |F_{s,i}\rangle|i_s\rangle. \qquad (8)$$

Proof. $U_E|0^E\rangle|i\rangle$ can be expanded as $\sum_j |E_{i,j}\rangle|j\rangle$ and since for any k there must be zero probability of getting $j_k$ different from $i_k$ (there is a non-zero probability that Bob chooses bit k as a TEST bit), $|E_{i,j}\rangle = 0$ for $j \ne i$ and thus (7) holds with $|E_i\rangle = |E_{i,i}\rangle$. In Step 4, Bob publishes the bit positions s and, for Eve's attack to be unnoticeable by Alice, the state held by Alice after $U_F$ is applied to $|E_i\rangle|i_s\rangle$ needs to be equal to $|i_s\rangle$. By Hilbert-Schmidt, this implies that the bipartite state $U_F|E_i\rangle|i_s\rangle$ must be of the form $|F\rangle|i_s\rangle$. The pure state $|F\rangle$ depends here on i, both through $|E_i\rangle$ and $i_s$, and also on the string s chosen to select the reflected qubits, i.e. $|F\rangle$ is a function of i and s and will be written $|F_{s,i}\rangle$, giving Eq. (8). □

When the attack $(U_E, U_F)$ induces no error on TEST and CTRL bits then, using (6), (7) and (8),

$$[U_F \otimes I_{\bar s}][I_E \otimes U_s]\,U_E|0^E\rangle|i\rangle = |F_{s,i}\rangle|i_s\rangle|i_{\bar s}\rangle. \qquad (9)$$

One can no longer expect Eve's final state $|F_{s,i}\rangle$ after Alice sent state $|i\rangle$ and Bob reflected the qubits specified by s to be constant, as is shown in the following example:
Example 1. Let Eve's probe space be of dimension N + 1 with basis states $|0\rangle \ldots |N\rangle$. Eve's initial state is $|0\rangle$. Let $U_E|0\rangle|i\rangle = |\,|i|\,\rangle|i\rangle$ and $U_F|h\rangle|j\rangle = |h - |j|\rangle|j\rangle$. This means that $U_E$ puts in the probe the Hamming weight h = |i| of the string $i \in \{0,1\}^N$ if Alice sends state $|i\rangle$, and $U_F$ subtracts from the probe the Hamming weight of the string $|j\rangle$ returned by Bob. In particular $|F_{s,i}\rangle = |\,|i| - |i_s|\,\rangle = |\,|i_{\bar s}|\,\rangle$. For $U_F$ to be defined on all basis states, assume the difference is taken modulo N + 1. Bob can clearly detect no error on TEST bits. Moreover, if Alice sends $|\phi\rangle = \sum_i c_i|i\rangle$, the final state is $\sum_i c_i |\,|i_{\bar s}|\,\rangle|i_s\rangle|i_{\bar s}\rangle$ and, once Bob has measured $|i_{\bar s}\rangle$, Eve's probe factors out and the resulting state in Alice's hands is the same as if Eve had applied neither $U_E$ nor $U_F$, i.e. as if the final state had been $\sum_i c_i |0\rangle|i_s\rangle|i_{\bar s}\rangle$; no error can thus be detected on CTRL bits.

Example 1 shows that Eve can learn the Hamming weight $|i_{\bar s}|$ of the string measured by Bob and stay completely invisible to Alice and Bob, i.e. induce no error on TEST and CTRL bits. Therefore, in order to make Protocol 1 robust, the choice of the INFO bits must be done in a more careful way.

But first, we need to show that Eve can learn at most the Hamming weight of $i_{\bar s}$; this is a consequence of Eq. (13) below, which is derived from a sequence of lemmas. The first lemma states that all the bits in i whose index is in s can be flipped without changing $|F_{s,i}\rangle$. In Protocol 2, this was true for all qubits in i, but then, all the qubits were returned. In Protocol 1, only the qubits in s are returned to Alice; the following lemma shows that for a fixed s, Eve's state depends only on the bits kept by Bob.

Lemma 5. For any attack $(U_E, U_F)$ on Protocol 1 that induces no error on TEST and CTRL bits, if $|E_i\rangle$ and $|F_{s,i}\rangle$ are given by (7) and (8) then

$$i_{\bar s} = i'_{\bar s} \;\Rightarrow\; |F_{s,i}\rangle = |F_{s,i'}\rangle. \qquad (10)$$

Proof. The result is trivial if s is empty. If not, we follow the steps of the proof of Proposition 2 and prove this bitwise; let k be an index in s, and i and i' be such that $i_k = 0$ and $i'_k = 1$, all other bits being the same. Assume wlog that k is the first element of s, i.e. $s = ks'$ and thus $i_s = i_k i_{s'}$. If Alice sends the state $\frac{1}{\sqrt 2}[|i\rangle + |i'\rangle]$, i.e. the k-th qubit sent by Alice is $|+\rangle$ and all the other qubits are prepared in the Z-basis, with bit values according to i, then by linearity and Eq. (9) the final state of the Eve+Alice+Bob system is

$$\frac{1}{\sqrt 2}\left[|F_{s,i}\rangle|0\rangle + |F_{s,i'}\rangle|1\rangle\right]|i_{s'}\rangle|i_{\bar s}\rangle;$$

if we trace out all the qubits in s' and $\bar s$ to keep only Eve's probe and qubit k in Alice's hands, we get the state

$$\frac{1}{\sqrt 2}\left[|F_{s,i}\rangle|0\rangle + |F_{s,i'}\rangle|1\rangle\right];$$

writing $|0\rangle$ and $|1\rangle$ in terms of $|+\rangle$ and $|-\rangle$ and considering only those terms in the resulting state that contain $|-\rangle$ gives

$$\frac{1}{2}\left[|F_{s,i}\rangle - |F_{s,i'}\rangle\right]|-\rangle,$$

and since the probability that Alice measures $|-\rangle$ as the k-th qubit must be 0 (because $k \in s$), $|F_{s,i}\rangle - |F_{s,i'}\rangle = 0$, i.e., $|F_{s,i}\rangle = |F_{s,i'}\rangle$. □



The following lemma simply expresses the fact that, when Alice sends $|i\rangle$ and Bob reflects the qubits with indices in s, then Eve's final state depends only on $|i\rangle$ and the state reflected by Bob.

Lemma 6. For any attack $(U_E, U_F)$ on Protocol 1 that induces no error on TEST and CTRL bits, if $|E_i\rangle$ and $|F_{s,i}\rangle$ are given by (7) and (8) then for all i, s and s',

$$i_s = i_{s'} \;\Rightarrow\; |F_{s,i}\rangle = |F_{s',i}\rangle. \qquad (11)$$

Proof. If $i_s = i_{s'}$ then $U_F|E_i\rangle|i_s\rangle = U_F|E_i\rangle|i_{s'}\rangle$ and thus $|F_{s,i}\rangle|i_s\rangle = |F_{s',i}\rangle|i_{s'}\rangle$. □



When Eq. (11) is used, we are using the fact that when Eve sees a qubit $|0\rangle$ (resp. a qubit $|1\rangle$) coming back from Bob, then she cannot tell to which qubit $|0\rangle$ (resp. $|1\rangle$) sent by Alice this qubit corresponds, provided of course more than one $|0\rangle$ (resp. $|1\rangle$) had been sent by Alice. The preceding lemmas can be used to show that, if Eve induces no error on TEST and CTRL bits, then Eve's intermediate state $|E_i\rangle$ just after $U_E$ is applied stays invariant when the bits in i are permuted; let us first look at an example.

Example 2. Let N = 4 and r = 2 and let us see that $|E_{1011}\rangle = |E_{0111}\rangle$, i.e. Eve's state after the attack $U_E$ on the qubits from Alice to Bob is the same whether Alice sends state $|1011\rangle$ or $|0111\rangle$. By Eq. (10), $|F_{14,1011}\rangle = |F_{14,0011}\rangle$, which is Eve's final state when Bob reflects bits 1 and 4 and Alice sends either $|1011\rangle$ or $|0011\rangle$. Similarly $|F_{24,0111}\rangle = |F_{24,0011}\rangle$. We now use Eq. (11) to get $|F_{14,0011}\rangle = |F_{24,0011}\rangle$ (Eve cannot tell if the returning $|0\rangle$ is bit 1 or bit 2); those identities imply $|F_{14,1011}\rangle = |F_{24,0111}\rangle$. We now go back to the definition of F; $|F_{14,1011}\rangle$ is Eve's final state if Alice sent $|1011\rangle$ and Bob reflected the bits 1 and 4, and from Eq. (8) we get $U_F|E_{1011}\rangle|11\rangle = |F_{14,1011}\rangle|11\rangle$ (bits 14 being 11). Similarly $U_F|E_{0111}\rangle|11\rangle = |F_{24,0111}\rangle|11\rangle$ and since the r.h.s. members are equal and $U_F$ is unitary, $|E_{0111}\rangle = |E_{1011}\rangle$.

Following the lines of Example 2, we prove the following lemma.

Lemma 7. For any attack $(U_E, U_F)$ on Protocol 1 that induces no error on CTRL and TEST bits, if $|E_i\rangle$ and $|F_{s,i}\rangle$ are given by (7) and (8) then for all $i, i' \in \{0,1\}^N$

$$|i| = |i'| \;\Rightarrow\; |E_i\rangle = |E_{i'}\rangle. \qquad (12)$$

Proof. Eq. (12) means that $|E_i\rangle$ depends only on the number of "0"s and "1"s in i, not on their positions. We need only show that any two (distinct) bits in i can be swapped without affecting $|E_i\rangle$ and, wlog, $|E_{01i''}\rangle = |E_{10i''}\rangle$ for any $i'' \in \{0,1\}^{N-2}$ [25]. Let s' be any sequence of distinct elements of [3..N]; $|F_{1s',10i''}\rangle = |F_{1s',00i''}\rangle$ and $|F_{2s',01i''}\rangle = |F_{2s',00i''}\rangle$ by Eq. (10); also $|F_{1s',00i''}\rangle = |F_{2s',00i''}\rangle$ by Eq. (11) and thus $|F_{1s',10i''}\rangle = |F_{2s',01i''}\rangle$. Using Eq. (8),

$$U_F|E_{10i''}\rangle|1 i_{s'}\rangle = |F_{1s',10i''}\rangle|1 i_{s'}\rangle \qquad (i = 10i'';\ s = 1s')$$
$$U_F|E_{01i''}\rangle|1 i_{s'}\rangle = |F_{2s',01i''}\rangle|1 i_{s'}\rangle \qquad (i = 01i'';\ s = 2s')$$

and, since $i_{s'}$ is the same for $i = 01i''$ and $i = 10i''$ and $|F_{1s',10i''}\rangle = |F_{2s',01i''}\rangle$, the r.h.s. are equal and so $|E_{10i''}\rangle = |E_{01i''}\rangle$. □

Example 3. Lemma 5 allows replacing all bits indexed by s by 0 without changing $|F_{s,i}\rangle$. This means for example that if i = 1010 and s = 34, then $|F_{s,i}\rangle = |F_{34,1010}\rangle = |F_{34,1000}\rangle$; similarly if i' = 0101 and s' = 12, then $|F_{s',i'}\rangle = |F_{12,0101}\rangle = |F_{12,0001}\rangle$. This means that $|F_{s,i}\rangle$ depends only on the bits not indexed by s, i.e. the bits indexed by $\bar s$. Here $i_{\bar s} = 10$ and $i'_{\bar s'} = 01$; those two strings have the same Hamming weight. Let us see that they give the same final state for Eve. By Eq. (8), $U_F|E_{0001}\rangle|00\rangle = |F_{12,0001}\rangle|00\rangle$ (Bob reflects bits 12) and $U_F|E_{1000}\rangle|00\rangle = |F_{34,1000}\rangle|00\rangle$ (Bob reflects bits 34). We know from Lemma 7 that $|E_{0001}\rangle = |E_{1000}\rangle$; this implies $|F_{12,0001}\rangle = |F_{34,1000}\rangle$ and thus $|F_{s,i}\rangle = |F_{s',i'}\rangle$.

Example 3 provides the intuition behind the proof of the next proposition, which is for Protocol 1 what Proposition 2 is for Protocol 2.

Proposition 8. If $(U_E, U_F)$ is an attack on Protocol 1 that induces no error on TEST and CTRL bits, and if $|E_i\rangle$ and $|F_{s,i}\rangle$ are given by (7) and (8), then for all s and s' of the same length r > 0, and all $i, i' \in \{0,1\}^N$,

$$|i_{\bar s}| = |i'_{\bar s'}| \;\Rightarrow\; |F_{s,i}\rangle = |F_{s',i'}\rangle. \qquad (13)$$

Proof. Let j and j' be defined by $j_s = j'_{s'} = 0^r$, $j_{\bar s} = i_{\bar s}$ and $j'_{\bar s'} = i'_{\bar s'}$. Then $|F_{s,i}\rangle = |F_{s,j}\rangle$ and $|F_{s',i'}\rangle = |F_{s',j'}\rangle$ by Eq. (10). Since $|j'| = |j|$, $|E_j\rangle = |E_{j'}\rangle$ by Eq. (12); by Eq. (8), $U_F|E_j\rangle|j_s\rangle = |F_{s,j}\rangle|j_s\rangle$ and $U_F|E_{j'}\rangle|j'_{s'}\rangle = |F_{s',j'}\rangle|j'_{s'}\rangle$ and thus, since $|j_s\rangle = |j'_{s'}\rangle = |0^r\rangle$, $|F_{s,j}\rangle = |F_{s',j'}\rangle$. □

Eq. (13) can be rewritten $|F_{s,i}\rangle = |F_{|i_{\bar s}|}\rangle$, representing Eve's final state when the Hamming weight of the string measured by Bob is $|i_{\bar s}|$.

Theorem 9. With any attack on Protocol 1 that induces no error on TEST and CTRL bits, the eavesdropper can learn at most the number of "0"s and "1"s measured by Bob, and Eve's final state can be written $|F_{|i_{\bar s}|}\rangle$.

Proof. Let $(U_E, U_F)$ be an arbitrary attack that induces no error on TEST and CTRL bits. If Alice sent any superposition $|\phi\rangle = \sum_{i \in \{0,1\}^N} c_i|i\rangle$ and Bob returned the bits selected by s, then using linearity and Eq. (9) with $|F_{s,i}\rangle = |F_{|i_{\bar s}|}\rangle$ for all i gives

$$\sum_i c_i\,|F_{|i_{\bar s}|}\rangle|i_s\rangle|i_{\bar s}\rangle \qquad (14)$$

as the state describing the final Eve+Alice+Bob system. Once Bob measures $|i_{\bar s}\rangle$, the state is projected onto a state where $|F_{|i_{\bar s}|}\rangle$ factors out, and Eve is thus left with a state that depends only on the Hamming weight of the string measured by Bob; she can thus learn at most that Hamming weight. Since she knows the length of $\bar s$, this means she can learn at most the number of "0"s and "1"s measured by Bob. □

4. Information leaked by Protocol 1.

As shown in Example 1, Eve can indeed learn the Hamming weight of the string measured by Bob. This is why the mock protocol of Section III failed: there was only one SIFT bit and no permutation could ever hide its value.

From Eq. (14) one also sees that the probability of Bob measuring $i_{\bar s}$ is unaffected by Eve's attack, just because the norm of $|F_{|i_{\bar s}|}\rangle$ is 1 (this is a normalized state); Eve's attack has no effect at all on Bob's statistics. The SIFT bits are equal to the random Z-bits chosen by Alice; the X bits measured by Bob are also random bits, as they would be without Eve's attack.

From the string of N − r bits (whose indices are in $\bar s$) measured by Bob, about half the bits are discarded because Alice sent the corresponding qubit in the X-basis. The bits left are the SIFT bits; n of them are used as TEST bits, the others serve as a pool for selecting the INFO bits. Eve's knowledge of $|i_{\bar s}|$ provides indirect knowledge on the statistics of occurrence of "0"s and "1"s in the INFO bits, and the protocol would nevertheless not be robust if the INFO string were obtained by picking randomly n bits from the SIFT bits not used as TEST bits (or the first n ones available, as in Protocol 2). We now give an asymptotic bound on Eve's accessible information.



Theorem 10. For any attack on Protocol 1 that induces no error on TEST and CTRL bits, Eve's information on the INFO string is asymptotically less than $0.293 + O(n^{-1})$ bits.



Proof. Let N − r = kn be the number of bits measured by Bob; it is expected that k = 4(1 + δ); those bits are all random but Eve knows their Hamming weight. Also known are the indices of the SIFT bits, of the INFO bits, as well as the indices and values of the TEST bits. Eve thus knows the Hamming weight W of the kn − n remaining random bits that are not TEST; W is distributed binomially, with kn − n trials and probability 1/2 of success. The entropy of a binomial distribution with n trials and probability p of success is $\frac12\log_2(2\pi e\,p(1-p)\,n) + O(1/n)$ where O(1/n) is the error [16][26]; the entropy $H(W \mid k)$ is thus

$$H(W \mid k) = \frac12\log_2\left(\frac{\pi e\,(k-1)\,n}{2}\right) + O\left(\frac1n\right). \qquad (15)$$

For any particular n-bit INFO string x, the entropy of W given x and k is the entropy of a binomial distribution with kn − 2n trials (for the kn − 2n remaining random bits) and is thus

$$H(W \mid x, k) = \frac12\log_2\left(\frac{\pi e\,(k-2)\,n}{2}\right) + O\left(\frac1n\right). \qquad (16)$$

The bits of the INFO string are random bits chosen by Alice and the strings x are thus equally likely; this implies $H(W \mid X, k) = H(W \mid x, k)$. The information Eve gains on X when W is known is, for any fixed k, $H(X \mid k) - H(X \mid W, k)$. It is a basic fact from information theory that $H(X \mid k) - H(X \mid W, k) = H(W \mid k) - H(W \mid X, k)$ and Eve's information is thus

$$I(W; X, k) = H(W \mid k) - H(W \mid X, k) = \frac12\log_2\frac{k-1}{k-2} + O\left(\frac1n\right) = \frac12\log_2\left(1 + \frac{1}{k-2}\right) + O\left(\frac1n\right). \qquad (17)$$

For $k \ge 4$, $I(W; X, k) \le 0.293 + O(n^{-1})$; the probability that k < 4 is exponentially small in n and thus

$$I(W; X) \le \sum_k I(W; X, k)\,p(k) \le 0.293 + O(n^{-1}). \qquad \Box$$
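The bound of Theorem 10 can be checked numerically without the asymptotic expansion: the following Python, an added illustration that is not part of the paper, evaluates $I(W;X,k) = H(W\mid k) - H(W\mid X,k)$ exactly from the binomial distributions of the kn − n non-TEST bits and of the kn − 2n bits that remain random once the INFO string is known, and compares it with the leading term $\frac12\log_2\frac{k-1}{k-2}$ of Eq. (17). The function names and the parameter values (n = 100, k = 4, 6, 8) are our own choices.

```python
"""Added example (not from the paper): exact evaluation of the leak bound of
Theorem 10.  W is the Hamming weight of the kn - n non-TEST bits measured by
Bob; given the n INFO bits X, only kn - 2n of those bits remain random."""
from math import comb, log2


def binomial_entropy(m):
    """Shannon entropy in bits of Binomial(m, 1/2), summed exactly over the pmf."""
    total = 0.0
    for w in range(m + 1):
        p = comb(m, w) / 2 ** m            # exact integer ratio, converted to float
        total -= p * (log2(comb(m, w)) - m)  # -p log2 p, with log2 p = log2 C(m,w) - m
    return total


def eve_information(n, kn):
    """I(W; X, k) = H(W | k) - H(W | X, k) for a run in which Bob measured kn
    bits, n of them TEST bits and n of them INFO bits (Eq. 17 before the
    asymptotic expansion): the first term is the entropy of the weight of the
    kn - n non-TEST bits, the second that of the kn - 2n non-TEST, non-INFO bits."""
    return binomial_entropy(kn - n) - binomial_entropy(kn - 2 * n)


def asymptotic_leak(k):
    """Leading term of Eq. (17): 1/2 log2((k-1)/(k-2)) = 1/2 log2(1 + 1/(k-2))."""
    return 0.5 * log2((k - 1) / (k - 2))


def leak_table(n, ks=(4, 6, 8)):
    """Exact leak versus its asymptotic value for several k at INFO length n.
    Returns a list of (k, exact, asymptotic) triples; k = 4 is the protocol's
    expected ratio (N - r)/n and gives the 0.293-bit figure of Theorem 10."""
    return [(k, eve_information(n, k * n), asymptotic_leak(k)) for k in ks]


if __name__ == "__main__":
    for k, exact, asym in leak_table(100):
        print(f"k={k}: exact I(W;X,k) = {exact:.4f} bits, asymptotic = {asym:.4f} bits")
```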



C. Properties of Protocol 1'.

1. The information contained in the INFO string.

Alice chooses randomly $y \in I_{n,\epsilon}$ to send as the INFO string. The information contained in y is thus the entropy of a uniform distribution on $I_{n,\epsilon}$.

Proposition 11. If ε > 0, the entropy of the uniform distribution on $I_{n,\epsilon}$ is exponentially close to n (its distance to n is of order $e^{-\epsilon^2 n/2}$).

Proof. For any integer N > 0, the entropy of the uniform distribution on a set of N elements is $\log_2(N)$. We are thus looking for a lower bound on $\log_2(|I_{n,\epsilon}|)$.

Let $Y = (Y_1, \ldots, Y_n)$ be a uniformly distributed random variable on $\{0,1\}^n$; the $Y_i$ are independent Bernoullis with probability p = 1/2. Let $\bar Y = \sum_{i=1}^n Y_i/n$; $\bar Y$ is nothing but |Y|/n; the expectancy $E[\bar Y]$ is 1/2. Then

$$n - \log_2(|I_{n,\epsilon}|) = -\log_2\left(\frac{|I_{n,\epsilon}|}{2^n}\right) = -\log_2\left(P\left[\left|\bar Y - \frac12\right| \le \frac{\epsilon}{2}\right]\right).$$

By Hoeffding's inequality (29)

$$P\left[\left|\bar Y - \frac12\right| > \frac{\epsilon}{2}\right] \le 2\exp\left(-\frac{\epsilon^2}{2}\,n\right)$$

and thus

$$n - \log_2(|I_{n,\epsilon}|) \le -\frac{1}{\ln 2}\ln\left(1 - 2\exp\left(-\frac{\epsilon^2}{2}\,n\right)\right).$$

For 0 < x < 0.5, it is easy to verify that $-\ln(1-x) < 3x/2$; thus, for n large enough (e.g. $n > \ln(16)/\epsilon^2$),

$$n - \log_2(|I_{n,\epsilon}|) < \frac{3}{\ln 2}\exp\left(-\frac{\epsilon^2}{2}\,n\right). \qquad \Box$$



While the entropy is ≃ n when ε > 0, we now show that it has a gap of $0.5\log_2(n)$ bits when ε = 0.

Proposition 12. For ε = 0, the entropy of the uniform distribution on $I_{n,0}$ is asymptotically equal to $n - 0.5\log_2(n) - 0.5(\log_2(\pi) - 1)$.

Proof. Stirling's formula gives

$$\binom{n}{n/2}\frac{1}{2^n} \simeq \sqrt{\frac{2}{\pi n}}.$$

We get the result by taking the log. □

Thus, by choosing ε > 0, we avoid asymptotically losing more than $0.5\log_2(n)$ bits of information.

2. Probability of aborting Protocol 1'.

The protocol aborts if there are fewer than h zeros or h ones left in the SIFT string after n TEST bits have been chosen, where $h = \lfloor (1+\epsilon)n/2 \rfloor$. We prove that this occurs with a probability that decreases exponentially with n.

Proposition 13. For any 0 < ε < δ and ε < 1 fixed by the protocol, the probability that it aborts is exponentially small.

Proof. We begin by showing that, except with an exponentially small probability, the number of SIFT bits is larger than N/4. We then show that this is enough for having at least h zeros and h ones, again except with exponentially small probability. Let δ' be a real number such that ε < δ' < δ. Let $N = \lceil 8n(1+\delta) \rceil$. For i such that $1 \le i \le N$, let $X_i = 1$ if the qubit i is SIFT and $X_i = 0$ otherwise. The variables $X_i$ are clearly independent; their distribution is a Bernoulli with p = 0.25, as shown in Fig. 2. The random variable S giving the number of SIFT bits is $S = \sum_{i=1}^N X_i$. Denote $\bar X = S/N$; it is clear that $E[\bar X] = 1/4$, and we can bound $P[S < N/4]$ using Hoeffding (Theorem 19),

$$P[S < 2n(1+\delta')] \le P\left[\bar X < \frac14\,\frac{1+\delta'}{1+\delta}\right] = P\left[\bar X - \frac14 < -\frac14\,\frac{\delta-\delta'}{1+\delta}\right] \le \exp\left(-\frac18\left(\frac{\delta-\delta'}{1+\delta}\right)^2 n\right)$$

and thus

$$P[S \ge 2n(1+\delta')] \ge 1 - e^{-k_1 n}$$

for $k_1 = \frac18\left(\frac{\delta-\delta'}{1+\delta}\right)^2$.

For each $S \ge 2n(1+\delta')$, the S bits are distributed uniformly. After n TEST bits are chosen, the remaining $S - n \ge 2n(1+\delta') - n = n(1+2\delta')$ bits are still uniformly distributed. Every time there are at least h zeros and h ones after the n TEST bits are chosen, and in addition there are more than $2n(1+\delta')$ SIFT bits, the protocol succeeds. As a consequence, the probability of success is larger than or equal to the probability that $S \ge 2n(1+\delta')$ times the probability that the S − n remaining bits contain at least h zeros and h ones, given that $S \ge 2n(1+\delta')$. Let V be the length of the string v, i.e. $V = S - n \ge n(1+2\delta')$. Let us index the bits in v from 1 to V, let $Z_i = 1$ if bit i is 0 and $Z_i = 0$ otherwise, let $Z = \sum_{i=1}^V Z_i$ and $\bar Z = Z/V$; Z is thus the number of bits equal to 0 in v; the $Z_i$ are Bernoulli with p = 1/2 and are independent. Let us denote $P_V$ the probability conditional to that particular value of V. The probability that there are strictly fewer than h zeros in v is bounded by

$$P_V[Z < h] \le P_V\left[Z < \frac{(1+\epsilon)n}{2}\right] = P_V\left[\bar Z < \frac{(1+\epsilon)n}{2V}\right] \le P_V\left[\bar Z < \frac{1+\epsilon}{2(1+2\delta')}\right] = P_V\left[\bar Z - \frac12 < -\frac12\,\frac{2\delta'-\epsilon}{1+2\delta'}\right]$$

where δ' > ε by hypothesis and again, by Hoeffding (Theorem 19), the probability that there are not enough zeros when $S \ge 2n(1+\delta')$ is bounded by

$$\exp\left(-\frac12\left(\frac{2\delta'-\epsilon}{1+2\delta'}\right)^2 n\right)$$

and the probability that there are at least h zeros and h ones when $S \ge 2n(1+\delta')$ is larger than or equal to $1 - 2e^{-k_2 n}$ with $k_2 = \frac12\left(\frac{2\delta'-\epsilon}{1+2\delta'}\right)^2$. As a consequence, the probability that the protocol succeeds is at least

$$\left(1 - e^{-k_1 n}\right)\left(1 - 2e^{-k_2 n}\right)$$

which is more than $1 - 3e^{-kn}$ with $k = \min\{k_1, k_2\}$. It is exponentially close to 1 with n. □



D. Complete robustness of Protocol 1'.

The assumption is that Eve's attack is undetectable, and we want to show that she gets no information on the INFO string. During the execution of the protocol, Eve learns which are the TEST bits, she learns their values, she learns the number of bits measured by Bob and, more importantly, her attack allows her to know their Hamming weight. We group all those data in the multivariate random variable R, of which the details will be irrelevant; r will be a particular set of data. The execution of the protocol also gives Eve the set of indices q such that $v_q = y$. What we want to show is that

$$I(Y; Q, R) = 0, \qquad (18)$$

i.e. the mutual information between the INFO string y and what Eve knows, namely (q, r), is zero.



1. Probabilistic setup.

Let F be the set of indices measured by Bob. By Theorem 9, if Eve is unnoticeable, her final state may depend only on $|i_F|$. Eve's final state does not depend on y either. That implies that, whatever r Eve learns, for any value $y \in \{0,1\}^n$ and any i, i' with $|i_F| = |i'_F|$,

$$p(i \mid y, r) = p(i' \mid y, r). \qquad (19)$$

For $h = \lfloor (1+\epsilon)n/2 \rfloor$, Alice chooses 2h indices in F that are SIFT bits and not TEST bits, say E. Let $E_h$ be the set of all balanced strings x indexed by E, i.e.

$$E_h = \{x \in \{0,1\}^E : |x| = h\}. \qquad (20)$$

Lemma 14. For any $x, x' \in E_h$,

$$p(x \mid y, r) = p(x' \mid y, r) = \frac{1}{|E_h|} = \frac{h!\,h!}{(2h)!}. \qquad (21)$$

Proof. To simplify notations, and without loss of generality, assume that $E = \{1, \ldots, 2h\}$ so that $\{0,1\}^E$ is the set of bitstrings with indices from 1 to 2h, and $F = \{1, \ldots, |F|\}$; $p(x \mid y, r) = \sum_{v,v'} p(xvv' \mid y, r)$ where v ranges over all bitstrings with indices in $\{2h+1, \ldots, |F|\}$ and v' over those with indices in $\{|F|+1, \ldots, N\}$; similarly $p(x' \mid y, r) = \sum_{v,v'} p(x'vv' \mid y, r)$; if we let $i = xvv'$ and $i' = x'vv'$ then $xv = i_F$, $x'v = i'_F$ and $|i_F| = |xv| = |x| + |v| = |x'| + |v| = |x'v| = |i'_F|$ and thus, by (19), $p(i \mid y, r) = p(i' \mid y, r)$ and the two sums are equal. □



2. Combinatorial lemmas.

Given a set E and $k \le |E|$, we denote $\mathcal P(E, k)$ the set of permutations of k elements in E, i.e. the set of strings $q_1 \ldots q_k$ of k distinct elements in E [21];

$$|\mathcal P(E, k)| = \frac{|E|!}{(|E|-k)!}. \qquad (22)$$
From now on, ε such that 0 < ε < 1, ε < δ will be fixed, as well as $h = \lfloor (1+\epsilon)n/2 \rfloor$ and E, a set of 2h indices of SIFT bits that are not TEST bits. For $y \in I_{n,\epsilon}$ and $x \in E_h$ we let

$$Q(x, y) = \{q \in \mathcal P(E, n) : x_q = y\}.$$

Lemma 15. For all $y \in I_{n,\epsilon}$ and $x \in E_h$ the number of elements |Q(x, y)| of Q(x, y) is

$$|Q(x, y)| = \frac{h!\,h!}{(h-n+|y|)!\,(h-|y|)!}. \qquad (23)$$

Proof. A string $y \in \{0,1\}^n$ is in $I_{n,\epsilon}$ if and only if it contains at most h zeros and h ones. Let $E_0 = \{j \in E : x_j = 0\}$ and $E_1 = \{j \in E : x_j = 1\}$; $|E_0| = |E_1| = h$ and the permutations q such that $x_q = y$ are in 1–1 correspondence with the elements of

$$\mathcal P(E_0, n - |y|) \times \mathcal P(E_1, |y|)$$

corresponding to the n − |y| indices giving a 0 in y and the |y| indices giving a 1 in y. The result follows from (22). □

Lemma 16. For all $q \in \mathcal P(E, n)$ and $y \in I_{n,\epsilon}$,

$$|\{x \in E_h : q \in Q(x, y)\}| = \binom{2h-n}{h-|y|}. \qquad (24)$$

Proof. A string $x \in E_h$ is such that $q \in Q(x, y)$ if and only if it satisfies $x_q = y$; this means that $x_{q_1} = y_1, \ldots, x_{q_n} = y_n$ (bits indexed by q are fixed), the other bits are arbitrary provided there is a total of h bits equal to 0 and h bits equal to 1; the desired strings are thus obtained by filling the 2h − n bit positions whose indices are not in the list q with h − |y| bits equal to 1 (and the others equal to 0); there are $\binom{2h-n}{h-|y|}$ such strings. □

Eq. (24) can be rewritten

$$|\{x \in E_h : x_q = y\}| = \frac{(2h-n)!}{(h-n+|y|)!\,(h-|y|)!}. \qquad (25)$$



3. Proof of robustness.

We want to show that q leaks no information on $y \in I_{n,\epsilon}$. For any fixed $x \in E_h$ and $y \in I_{n,\epsilon}$ the probability that Alice sends q is $1/|Q(x, y)|$ if $q \in Q(x, y)$ and 0 otherwise, independently of any value of r:

$$p(q \mid x, y, r) = \begin{cases} \dfrac{1}{|Q(x, y)|} & \text{if } x_q = y \\[4pt] 0 & \text{otherwise.} \end{cases} \qquad (26)$$



Lemma 17. For all values of r, all $y \in I_{n,\epsilon}$ and all $q \in \mathcal P(E, n)$,

$$p(q \mid y, r) = \frac{(2h-n)!}{(2h)!}. \qquad (27)$$

Proof.

$$\begin{aligned}
p(q \mid y, r) &= \sum_{x \in E_h} p(q \mid x, y, r)\,p(x \mid y, r) \\
&= \sum_{x \in E_h,\ x_q = y} \frac{1}{|Q(x, y)|}\,\frac{h!\,h!}{(2h)!} \\
&= \sum_{x \in E_h,\ x_q = y} \frac{(h-n+|y|)!\,(h-|y|)!}{(2h)!} \\
&= \frac{(2h-n)!\,(h-n+|y|)!\,(h-|y|)!}{(h-n+|y|)!\,(h-|y|)!\,(2h)!} = \frac{(2h-n)!}{(2h)!}
\end{aligned}$$

where the second equality is due to (21) and (26), and the third and fourth equalities are given by (23) and (25). □

Theorem 18. For all ε and δ such that 0 < ε < 1 and ε < δ, the protocol is completely robust, i.e. if Eve is undetectable by the legitimate parties, then I(Y; Q, R) = 0.

Proof. The parameters n and ε are constants of the protocol; they are fixed before all random choices of Alice or Bob, and all measurements. So is the value $h = \lfloor (1+\epsilon)n/2 \rfloor$. The right-hand side of Eq. (27) is thus a constant [28] and Lemma 17 implies that the random variables Q and (Y, R) are independent: p(q, y, r) = p(q)p(y, r); the variables Y and R must also be independent, because Alice chooses y randomly, independently of everything else: p(y, r) = p(y)p(r). This implies that p(q, y, r) = p(q)p(y)p(r), so Y is independent of (Q, R), and therefore I(Y; Q, R) = 0. □
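For small parameters the whole argument of this subsection can be replayed by enumeration. The Python below is an added check, not the paper's code: it builds $E_h$, $\mathcal P(E, n)$ and $Q(x, y)$ for constructed values (n = 3, ε = 0.5, hence h = 2), confirms the closed forms of Lemmas 15, 16 and 17 by counting, and verifies Theorem 18 by checking that p(q, y) = p(q)p(y) holds exactly when Y is uniform on $I_{n,\epsilon}$. The variable r is left out because, by Eq. (26), p(q | x, y, r) does not depend on it; the function names are ours.

```python
"""Added example (not from the paper): brute-force verification of Lemmas 15-17
and Theorem 18 for Protocol 1' with small constructed parameters."""
from fractions import Fraction
from itertools import permutations, product
from math import comb, factorial


def info_strings(n, h):
    """I_{n,eps}: the n-bit strings y with at most h zeros and at most h ones."""
    return [y for y in product("01", repeat=n)
            if y.count("0") <= h and y.count("1") <= h]


def balanced_strings(h):
    """E_h (Eq. 20): the 2h-bit strings indexed by E with exactly h ones."""
    return [x for x in product("01", repeat=2 * h) if x.count("1") == h]


def matches(x, q, y):
    """True when x_q = y, i.e. reading x at the positions listed in q gives y."""
    return all(x[qi] == yi for qi, yi in zip(q, y))


def q_set_size(x, y):
    """|Q(x, y)|: number of ordered selections q of len(y) distinct indices of x
    such that x_q = y, found by enumeration."""
    return sum(1 for q in permutations(range(len(x)), len(y)) if matches(x, q, y))


def lemma15(h, n, y):
    """Closed form h! h! / ((h-n+|y|)! (h-|y|)!) of Eq. (23)."""
    w = y.count("1")
    return factorial(h) ** 2 // (factorial(h - n + w) * factorial(h - w))


def lemma16(h, n, y):
    """Closed form C(2h-n, h-|y|) of Eq. (24)."""
    return comb(2 * h - n, h - y.count("1"))


def lemma17(h, n):
    """Closed form (2h-n)!/(2h)! of Eq. (27)."""
    return Fraction(factorial(2 * h - n), factorial(2 * h))


def check_protocol(n, eps):
    """Check Lemmas 15-17 and the independence of Y and Q (Theorem 18) for
    Protocol 1' with INFO length n and parameter eps; return a summary dict."""
    h = int((1 + eps) * n / 2)                  # h = floor((1+eps) n / 2)
    ys, eh = info_strings(n, h), balanced_strings(h)
    qs = list(permutations(range(2 * h), n))    # P(E, n) with E = {0, ..., 2h-1}
    qsize = {(x, y): q_set_size(x, y) for x in eh for y in ys}
    lemma15_ok = all(qsize[(x, y)] == lemma15(h, n, y) for x in eh for y in ys)
    lemma16_ok = all(sum(matches(x, q, y) for x in eh) == lemma16(h, n, y)
                     for q in qs for y in ys)
    # p(q | y) = sum over x in E_h with x_q = y of p(q | x, y) p(x | y), where
    # p(q | x, y) = 1/|Q(x, y)| (Eq. 26) and p(x | y) = 1/|E_h| (Eq. 21).
    p_q_y = {(q, y): sum((Fraction(1, qsize[(x, y)] * len(eh))
                          for x in eh if matches(x, q, y)), Fraction(0))
             for q in qs for y in ys}
    lemma17_ok = all(v == lemma17(h, n) for v in p_q_y.values())
    # Theorem 18: with Y uniform on I_{n,eps}, Q carries no information on Y.
    p_y = Fraction(1, len(ys))
    p_q = {q: sum(p_q_y[(q, y)] * p_y for y in ys) for q in qs}
    independent = all(p_q_y[(q, y)] * p_y == p_q[q] * p_y for q in qs for y in ys)
    return {"h": h, "info_strings": len(ys), "balanced_strings": len(eh),
            "p_q_given_y": lemma17(h, n), "lemma15": lemma15_ok,
            "lemma16": lemma16_ok, "lemma17": lemma17_ok, "independent": independent}


if __name__ == "__main__":
    print(check_protocol(3, 0.5))
```

With n = 3 and h = 2 every one of the 24 lists q has p(q | y) = 1!/4! = 1/24 for each of the 6 admissible INFO strings, which is exactly what Lemma 17 predicts.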



VI. CONCLUSION 

We presented two protocols for QKD with one party per- 
forming only classical operations: measure a qubit in the 
classical {0, 1} basis, let the qubit pass undisturbed back 
to its sender, randomize the order of several qubits, or re- 
send a qubit after its measurement. We proved the robust- 
ness of these protocols; this provides intuition why we be- 
lieve they are secure. We hope that this work sheds light on 
"how much quantumness" is required in order to perform 
the classically-impossible task of secret key distribution. 
This work extends the previous work [17] and the con- 
ference version [18] by two aspects: it proves robustness 
of the measure-resend SQKD Protocol for a more general 
scenario and proves the full robustness of a randomization- 
based SQKD Protocol, eliminating any information leak to 
the adversary. 
Note that in this work we assumed perfect qubits. We 
leave the examination of our protocol against PNS and 
other implementation-dependent attacks to future research. 
This work was partially supported by the Israeli MOD. We 
thank Moshe Nazarathy for providing the motivation for 
this research. 



APPENDIX

Theorem 19 (Hoeffding). (Hoeffding [19]) If $X_1, \ldots, X_n$ are independent random variables with finite first and second moments, $P[a_i \le X_i \le b_i] = 1$ for $1 \le i \le n$, and $\bar X = \frac{1}{n}\sum_{i=1}^n X_i$, then

$$P\left[\bar X - E[\bar X] \ge \kappa\right] \le \exp\left(-\frac{2\kappa^2 n^2}{\sum_{i=1}^n (b_i - a_i)^2}\right)$$

where $\exp(x) = e^x$. When $0 \le X_i \le 1$, this gives (by symmetry for (28) and summation for (29))

$$P\left[\bar X - E[\bar X] \ge \kappa\right] \le \exp(-2\kappa^2 n), \qquad P\left[\bar X - E[\bar X] \le -\kappa\right] \le \exp(-2\kappa^2 n), \qquad (28)$$

$$P\left[\left|\bar X - E[\bar X]\right| \ge \kappa\right] \le 2\exp(-2\kappa^2 n). \qquad (29)$$